1. INTRODUCTION 


Information security is a major issue in the internet world. Since a large proportion of the applications we use today are internet based, the security of the information they handle has to be taken care of. The losses caused by inadequate attention to security in financial applications are very large and sometimes unacceptable. It is therefore necessary to protect the data as well as the software. As technology improves, the challenges of protecting data increase with it. For banking applications the need for information security is greater still, and any breach of information security damages the reputation of the organization. 


According to the Legal Information Institute, information security is defined as the protection of information and information systems against unauthorized activities and actions. The triad of information security is confidentiality, integrity and availability (CIA). A further principle of information security that should be considered is authenticity. 


Confidentiality: Confidentiality protects information from unauthorized access. This principle maintains the secrecy of the data and reveals the information only to authorized users. Integrity: Data integrity means that the data may be modified only by an authorized user, and that unauthorized modification is detected; it ensures the completeness and accuracy of the data. Availability: This ensures that the data is accessible to authorized users whenever they need it. Authentication: Authentication verifies the claimed identities of the parties involved in a communication. 


Any system that provides information security should always cover the CIA triad together with other security services such as authentication and non-repudiation. 


Security metrics give the degree to which the security of a given application can be relied on. This paper proposes a framework by which the level of security can be evaluated. A banking application is used to evaluate the proposed framework. 


The remainder of this paper is structured as follows: Section 2 describes the threats related to online applications, Section 3 describes the proposed process-oriented approach for evaluating the security requirements of online applications, and Section 4 concludes the paper. 
2. SECURITY THREATS 


Technological improvements let application users obtain their services efficiently. On the other hand, attackers use the same technical skills to gain access to protected systems; some want to prove the technical knowledge they have acquired, and against financial institutions financial gain is the more common motive. An intrusion into a financial institution also affects the trustworthiness of the institution. Hence security violations need to be handled properly. 
Types of Attacks in Banking 


Customers of banks find it convenient to use the online services the banks provide: they can obtain banking services from wherever they are, at any time. Although online banking benefits customers in many ways, there are certain issues, and customers are sometimes reluctant to use online banking services because of security concerns. 


The types of attacks that could happen in online banking can be classified as: 


• Credential Stealing: The attacker tries to obtain the credentials of bank customers, for example with malicious software such as keyloggers installed on the computer from which the customer uses online banking, or through phishing. Additional verification such as two-factor authentication mitigates these threats: a captured static password is no longer sufficient on its own, and a one-time code that has already been used cannot be replayed. It does not eliminate them entirely, since a phishing site that relays the one-time code to the bank in real time can still succeed. 


• Channel Breaking: A channel-breaking attack intercepts the communication channel between the bank server and the user and manipulates the data in transit [3]. 
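The following Python sketch is an added example and not part of the paper: it models a toy bank server and exercises the two attack classes listed above. A keylogger that captures both the password and the one-time code cannot replay them, because each TOTP time step is accepted once; a transaction rewritten in transit is rejected because its HMAC tag no longer matches. The passwords, account numbers, the fixed timestamp and the keys are constructed fixtures, and how the per-session channel key is established (for instance from the TLS session or a hardware token) is assumed and out of scope.

```python
"""Added example (not from the paper): a toy online-banking server that
illustrates credential stealing and channel breaking and the checks that
catch them.

- Credential stealing: a keylogger captures the password and the one-time
  code; replaying them fails because each TOTP step is accepted once.
- Channel breaking: a transaction altered in transit fails its HMAC check.

Every key, account number, password and timestamp here is a constructed
test fixture. How the per-session channel key is established (e.g. from
the TLS session or a hardware token) is assumed and out of scope.
"""
import hashlib
import hmac
import json
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def transaction_tag(channel_key: bytes, tx: dict) -> str:
    """HMAC-SHA256 over a canonical encoding, so both ends tag the same bytes."""
    payload = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(channel_key, payload, hashlib.sha256).hexdigest()


class BankServer:
    """Password + TOTP login with single-use codes; MAC-checked transactions."""

    def __init__(self, password: str, otp_secret: bytes, channel_key: bytes):
        # Toy fixture: a real system stores a slow password hash (argon2, bcrypt).
        self._pw_hash = hashlib.sha256(password.encode()).hexdigest()
        self._otp_secret = otp_secret
        self._channel_key = channel_key
        self._last_counter = -1  # highest TOTP step already consumed

    def login(self, password: str, code: str, now: int) -> bool:
        pw_ok = hmac.compare_digest(
            self._pw_hash, hashlib.sha256(password.encode()).hexdigest())
        # Accept the current step and the previous one (clock drift)...
        matched = None
        for step in (now // STEP - 1, now // STEP):
            if hmac.compare_digest(totp(self._otp_secret, step * STEP), code):
                matched = step
        # ...but never a step that was already used: this defeats replay of a
        # keylogged or phished code within its validity window.
        if not pw_ok or matched is None or matched <= self._last_counter:
            return False
        self._last_counter = matched
        return True

    def accept_transaction(self, tx: dict, tag: str) -> bool:
        """Reject any transaction whose body no longer matches its tag."""
        return hmac.compare_digest(transaction_tag(self._channel_key, tx), tag)


def run_demo() -> dict:
    otp_secret = b"12345678901234567890"  # constructed seed (the RFC 6238 test secret)
    channel_key = b"constructed-per-session-key-32b!"  # stands in for a TLS/token-derived key
    bank = BankServer("correct horse battery", otp_secret, channel_key)
    now = 1_700_000_000  # constructed fixed clock
    results = {}

    # Legitimate login, then the keylogger's replay 5 s later and 35 s later
    # (the latter is still inside the drift window, but the step was consumed).
    code = totp(otp_secret, now)
    results["user_login"] = bank.login("correct horse battery", code, now)
    results["replay_same_step"] = bank.login("correct horse battery", code, now + 5)
    results["replay_next_step"] = bank.login("correct horse battery", code, now + 35)

    # Channel breaking: the client tags the transfer; a man in the middle
    # rewrites the payee but cannot recompute the tag without the key.
    tx = {"from": "ACCT-0001", "to": "ACCT-0002", "amount": "120.00", "currency": "EUR"}
    tag = transaction_tag(channel_key, tx)
    results["intact_tx"] = bank.accept_transaction(tx, tag)
    results["tampered_tx"] = bank.accept_transaction(dict(tx, to="ACCT-ATTACKER"), tag)
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check:18} {'accepted' if outcome else 'rejected'}")
```

The single-use rule on the TOTP step is what turns a captured code into a dead credential; without it, the drift window would let a keylogged code be replayed for up to a minute. Note the limit of this defence: a phishing site that relays the code to the real bank while it is still fresh is not a replay and is not stopped by it. The transaction tag addresses the channel-breaking case independently of the login, which is why banks bind a second factor to the transaction details rather than only to the session.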
3. PROPOSED PROCESS MODEL 


This paper proposes the security metric process shown in Figure 1. The process identified for the security metric has four major components: planning, developing solutions, validation and taking action. 
Planning Phase 


The planning phase involves identifying the security requirements for the application under consideration. For online banking, the services the banks provide online have to be evaluated with respect to the security requirements. This process takes its input from the regulatory bodies of the banking authority, and based on the regulations issued by the governing authorities this phase identifies the remaining requirements. Apart from identifying the security requirements, this phase includes other activities such as forming a security committee, whose duties include: identifying the right people for the metric process and forming a team, managing the team with effective communication, and identifying the technological requirements and evaluating the security requirements of the application under consideration. 


The planning phase should also consider the kinds of attacks that could happen to the application. Identifying the risks is another important activity in this phase, and risk mitigation plans should be drawn up for the risks identified for the application under consideration. 


Other supporting activities in this phase are identifying the scope of the planning process, setting the milestones, identifying the resources, identifying the roles and responsibilities, identifying the measurement and improvement criteria, and establishing the communication links. 
Develop Solutions 


The second phase in the security evaluation process is developing the solutions for the requirements identified in the previous phase. Designing the solution for the identified requirements should follow the design methodology. Once the solution for the evaluation process has been created, it should be made available to all the people concerned. Other activities in this phase are documentation, support and maintenance. 
Validation Phase 


Once the security solution has been developed, the next step is to evaluate it to check whether it meets the required criteria. This phase involves checking the developed solution to identify errors. The other activities in this phase are monitoring, measuring, and comparing the process against the baseline data. 
Take Action 


This phase involves identifying measures for improving the design. Its other activities include correcting the errors identified in the validation phase, training and supporting all the stakeholders, and identifying a new design with an improved solution. 


The proposed process model was evaluated by applying it to an online banking application. The evaluation identified the security threats to the online application; the vulnerabilities behind those threats have to be identified and solutions for them designed. The results of this process indicate the actions to be taken to improve the security measures of online applications. 
Figure 1: Security Metric Process. 
4. CONCLUSIONS 


This paper presents the need for security evaluation methods in online applications. Its aim is to propose a process-oriented approach for evaluating the security requirements of online banking applications. Since security is a major concern in today's internet environment, and banking services are part of financial management, security requirements are a major concern. This paper identified a four-step process model, consisting of planning, solution development, validation and taking action, for evaluating security requirements. The proposed model was also evaluated for banking applications, and the results give improved solutions to be considered in the future design process. 